windows-intrusion-timeline-targeted
// Create a targeted intrusion timeline for a Windows incident using whatever artifacts are available (event logs, EDR, SIEM exports, triage notes).
| Field | Value |
| --- | --- |
| id | analysis.windows-intrusion-timeline |
| name | Windows intrusion timeline (targeted) |
| description | Create a targeted intrusion timeline for a Windows incident using whatever artifacts are available (event logs, EDR, SIEM exports, triage notes). |
| version | 0.1.0 |
| author | awesome-dfir-skills contributors |
| license | Apache-2.0 |
| tags | ["windows","timeline","intrusion","authentication","process-execution"] |
| category | analysis |
| platforms | ["windows"] |
| inputs | [{"name":"case_context","description":"Environment + scope: host roles, time window, timezone, suspected technique, what telemetry/artifacts exist (event logs, EDR, SIEM, triage notes).","required":true},{"name":"artifacts","description":"Relevant investigation artifacts (bounded): event entries (text/JSON/CSV), EDR process tree, alerts, command lines, file hashes/paths, network indicators, or short summaries with examples.","required":true}] |
| outputs | [{"name":"timeline","description":"Chronological list of notable events with interpretations and confidence."},{"name":"followup_queries","description":"Concrete event filters/queries to run next (by EventID and fields)."}] |
To get the best timeline, provide a "case bundle":
Role: You are a Windows DFIR analyst.
Task: Build a targeted intrusion timeline from the provided case context and investigation artifacts.
Rules:
- Don’t invent events. If there are gaps, call them out and explain what would fill them.
- Normalize timestamps. If timezone is unclear, explicitly label times as “untrusted”.
- Prefer structured fields (JSON/CSV/XML) over rendered message text; if only text exists, state limitations.
- Track confidence per finding (High/Med/Low) with a one-line reason.
- Separate facts (observed events) from interpretation (hypotheses).
- If you identify a suspicious execution, pivot around it (parent/child relationships) and trace activity backwards and forwards.
Case context: {{case_context}}
Artifacts: {{artifacts}}
Deliverables:
- Timeline assumptions
  - Timezone used, clock skew considerations, host naming assumptions (if redacted)
- Notable event timeline as a table with columns:
  - time (ISO 8601)
  - host
  - log (e.g., Security/System/PowerShell/Sysmon)
  - event_id
  - actor (user/service account; or “unknown”)
  - artifact (process/service/task/account/network)
  - summary (what happened)
  - interpretation (why it matters)
  - confidence (High/Med/Low)
- Key threads (map events into phases: initial access → execution → persistence → privilege escalation → lateral movement → collection/exfil)
- Gaps & limitations
  - Missing logs (e.g., no Sysmon, no PowerShell 4104, no 4688)
  - Missing fields (e.g., no command line, no parent process)
  - Audit policy implications (what might be disabled)
- Follow-up queries / filters to run next, grouped by log source
  - Provide EventID + key fields to filter on
  - Include 1–2 examples per log source
- Recommended next artifacts to collect to validate each key hypothesis
  - e.g., Sysmon config, Amcache, Prefetch, SRUM, Shimcache, scheduled tasks export, services list, browser history, EDR telemetry
Use this procedure whenever the incident involves a suspicious process/script/service/task.
When you propose follow-ups, express them as:
TargetUserName, IpAddress, LogonType, AuthenticationPackageName, WorkstationName
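As an added example (not part of the skill or of the awesome-dfir-skills repository), the Python below applies the rules above to a constructed set of Security event records: it normalises timestamps to UTC and flags those with no timezone marker as untrusted, orders the notable events, pivots around a suspicious 4688 by parent/child process IDs, and names each gap together with the EventID + fields to query next. Field names follow the Windows Security log; the host, user, PIDs and times are constructed.

```python
from datetime import datetime, timezone

# Constructed sample export (structured fields, not rendered message text).
# The cmd.exe record has no timezone marker and no 4104 records are present.
EVENTS = [
    {"time": "2024-03-01T09:14:03Z", "host": "WS01", "log": "Security", "event_id": 4624,
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.5", "LogonType": 3},
    {"time": "2024-03-01T09:14:25Z", "host": "WS01", "log": "Security", "event_id": 4688,
     "SubjectUserName": "jdoe", "NewProcessName": "powershell.exe", "NewProcessId": "0x2f10",
     "ParentProcessName": "cmd.exe", "ParentProcessId": "0x1a2c"},
    {"time": "2024-03-01T09:14:20", "host": "WS01", "log": "Security", "event_id": 4688,
     "SubjectUserName": "jdoe", "NewProcessName": "cmd.exe", "NewProcessId": "0x1a2c",
     "ParentProcessName": "explorer.exe", "ParentProcessId": "0x0bb8"},
]

def normalize(ts):
    """Return (aware UTC datetime, trusted). Naive stamps are assumed UTC and flagged untrusted."""
    dt = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        return dt.replace(tzinfo=timezone.utc), False
    return dt.astimezone(timezone.utc), True

def build_timeline(events):
    """Chronological rows in the skill's table shape; 'trusted' is False for unlabelled timezones."""
    rows = []
    for ev in events:
        dt, trusted = normalize(ev["time"])
        rows.append({"time": dt, "trusted": trusted, "host": ev["host"], "log": ev["log"],
                     "event_id": ev["event_id"], "actor": ev.get("SubjectUserName") or ev.get("TargetUserName") or "unknown"})
    return sorted(rows, key=lambda r: r["time"])

def pivot_process(events, pid):
    """Pivot on a suspicious 4688: walk parents back from pid, then list its direct children."""
    procs = {e["NewProcessId"]: e for e in events if e["event_id"] == 4688}
    chain, cur = [], pid
    while cur in procs:  # backwards: pid -> parent -> grandparent, stops at the first unlogged parent
        chain.append(procs[cur]["NewProcessName"])
        cur = procs[cur]["ParentProcessId"]
    children = [e["NewProcessName"] for e in procs.values() if e["ParentProcessId"] == pid]
    return chain, children

def gaps_and_followups(events):
    """Name each gap with the EventID + fields (by log source) that would fill it."""
    ids, out = {e["event_id"] for e in events}, []
    if 4104 not in ids:
        out.append(("no PowerShell 4104", "PowerShell/Operational 4104: ScriptBlockText, Path"))
    if any(e["event_id"] == 4688 and not e.get("CommandLine") for e in events):
        out.append(("4688 without command line", "Security 4688: CommandLine (needs command-line auditing enabled)"))
    return out
```

The pivot stops at explorer.exe because no 4688 record exists for it, which is itself a gap worth recording in the timeline assumptions.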